Privacy Policy

1. Scope and applicable law

This Policy applies to personal data we collect in the course of operating our Services across India, the United Arab Emirates, and any other jurisdictions where we engage with you.

• India: Our processing of personal data of individuals in India is governed primarily by the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology Act, 2000 (and rules made under it).
• UAE: Our processing of personal data of individuals in the UAE is governed primarily by Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”) and applicable sectoral regulations, including those of the Central Bank of the UAE (“CBUAE”) where relevant.
• Other regions: Where individuals in other jurisdictions (including the EU/UK) interact with us, we will comply with applicable data protection laws to the extent they apply to our processing.

2. Information we collect

The information we collect depends on how you interact with us — whether you are visiting our website, signing up as a business user, transacting through our platform, or being onboarded as a beneficiary of one of our customers.

3. How we use your information

We process your personal data for the following purposes:

• Providing, operating, and improving the Services, including vendor payments, AP/AR management, global collections, rent collection, utility bill payments, AI bank-statement analysis, lead management, corporate cards and credit, invoice discounting, smart reconciliation, and integrated financial dashboards.
• Onboarding business customers and their authorised users, performing KYC/KYB checks, sanctions screening, and meeting regulatory and partner-bank requirements.
• Authenticating you, securing your account, detecting and preventing fraud, financial crime, money laundering, and other unauthorised activity.
• Routing, authorising, settling, and reconciling payments and collections across India, UAE, and supported international corridors.
• Generating analytics, insights, cash-flow patterns, anomaly flags, and ROI estimates from data you or your business provide — including via AI-powered features such as our AI Statement Analysis and AI Agents.
• Communicating with you about your account, transactions, service changes, security notices, and customer-support interactions.
• Marketing our products and sharing relevant content, where permitted by law and your communication preferences.
• Complying with our legal, tax, accounting, and regulatory obligations, including responding to lawful requests from courts, regulators, and law-enforcement authorities in India, the UAE, and other applicable jurisdictions.
• Establishing, exercising, or defending legal claims and enforcing our agreements.

4. AI-powered features and automated processing

Certain features of our Services use machine-learning models or AI to assist with tasks such as:

• Reading and structuring data from uploaded bank statements (AI Statement Analysis).
• Flagging potentially anomalous or duplicate transactions for review.
• Suggesting actions and automating finance workflows via AI Agents.
• Generating CO₂ estimates and other analytics from transaction data.

These features are designed to assist, not replace, human decision-making. We do not make decisions producing legal or similarly significant effects on you solely on the basis of automated processing without appropriate safeguards. Where applicable law gives you a right to request human review of an automated decision, you may exercise that right by contacting us at sales@finigenie.com.

We use de-identified, aggregated, or otherwise non-personal data derived from the Services to train and improve our models. We do not sell your personal data to third parties for their own marketing.

5. When and with whom we share your information

We share personal data only as described in this Policy and as required to operate the Services. Categories of recipients include:

• Partner banks, NBFCs, and licensed payment institutions — such as HDFC Bank, ICICI Bank, State Bank of India, Axis Bank, Yes Bank, AU Small Finance Bank, and other regulated partners — to authorise, settle, and reconcile payments and to deliver lending and card products.
• Payment networks and acquirers — including Visa, Mastercard, NPCI, BBPS, PayPal, Geidea, Razorpay, PhonePe, and similar providers — for transaction processing and settlement.
• KYC, identity verification, and fraud-prevention providers — such as Signzy, FACE, and similar partners.
• Stablecoin and virtual-asset service providers — where we enable settlement using regulated stablecoin rails (for example, USDC), we share transaction information with regulated virtual-asset service providers in accordance with applicable law, including UAE Virtual Asset Regulatory Authority (“VARA”) and CBUAE requirements where they apply.
• Cloud-hosting, infrastructure, and security providers — who host our platform and maintain its security under appropriate contractual safeguards.
• Analytics, marketing, and support tools — used to understand usage and reach customers, subject to consent where required.
• Professional advisers, auditors, and insurers — under duties of confidentiality.
• Government, regulators, courts, and law-enforcement — where we are legally required, or where disclosure is necessary to protect our rights, the rights of others, or to prevent harm.
• Affiliates and group companies — between Ragilly Technologies Private Limited (India) and Ragilly Payment Services Provider Co. LLC (UAE), and any future affiliates, to operate the Services across regions.
• In a business transfer — in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality undertakings.

All third parties who receive personal data from us are required, by contract or by law, to keep it confidential and to use it only for the purposes for which it was shared.

6. Cross-border data transfers

Because we operate in India and the UAE and use international service providers, your personal data may be transferred to, stored in, or processed in countries other than where you are located. When we transfer personal data internationally, we put appropriate safeguards in place, such as:

• Contractual data-protection commitments with our service providers and affiliates.
• Encryption in transit and at rest where reasonably feasible.
• Transfers permitted under the DPDP Act (for personal data of individuals in India) and the UAE PDPL (for personal data of individuals in the UAE), including transfers to jurisdictions recognised as offering an adequate level of protection or transfers subject to standard contractual safeguards.

If you are located in the UAE, your data may be transferred to and processed in India and other jurisdictions; if you are located in India, your data may be transferred to and processed in the UAE and other jurisdictions. By using the Services, you acknowledge such cross-border processing as described in this Policy.

7. Cookies and tracking technologies

We use cookies and similar technologies for the following purposes:

• Strictly necessary cookies that enable core functionality such as logging you in and remembering your session.
• Performance and analytics cookies (for example, Google Analytics) that help us understand how the Services are used.
• Functionality cookies that remember your preferences.
• Marketing and advertising cookies (for example, from LinkedIn or Meta) that help us deliver relevant content and measure campaign performance, used only where permitted by your consent or applicable law.

You can manage cookie preferences through your browser settings and through any cookie banner shown on our website. Disabling certain cookies may affect the functionality of the Services.

8. How long we keep your information

We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, including to provide the Services, comply with our legal, tax, accounting, audit, and regulatory obligations, resolve disputes, and enforce our agreements. Specifically:

• KYC, AML, and transaction records are retained for the minimum period required under applicable law (typically not less than five years from the date of the transaction or end of the relationship under Indian and UAE law).
• Account information is retained while your account is active and for a reasonable period after closure to address regulatory or operational needs.
• Marketing data is retained until you withdraw consent or opt out, whichever is earlier.

When retention is no longer necessary or lawful, we will delete, anonymise, or aggregate the data.

9. Security

We maintain reasonable and appropriate organisational, technical, and physical safeguards designed to protect personal data, including:

• Encryption of data in transit (TLS) and, where reasonably feasible, at rest.
• Role-based access controls and authentication for our personnel.
• Tokenisation of sensitive card data, in line with applicable PCI requirements through our certified processing partners.
• Regular security reviews, vulnerability monitoring, and incident-response procedures.

Despite our efforts, no system can be guaranteed to be 100% secure. You are responsible for keeping your account credentials confidential, and for promptly notifying us of any suspected unauthorised access to your account.

If we become aware of a personal-data breach affecting you, we will notify you and applicable regulators in accordance with applicable law.

10. Your rights

Depending on the laws of your country, you may have the following rights:

• Access — to obtain confirmation of, and a copy of, the personal data we hold about you.
• Correction — to ask us to correct inaccurate or incomplete data.
• Erasure / Deletion — to ask us to delete data we no longer need.
• Withdrawal of consent — where we rely on your consent, you may withdraw it at any time without affecting prior processing.
• Objection / Restriction — to object to certain processing or ask us to limit it.
• Data portability — to receive certain data in a structured, machine-readable format.
• Nominate — (under the DPDP Act, India) to nominate another person to exercise your rights in the event of your death or incapacity.
• Complain — to a competent data-protection authority, including the Data Protection Board of India and the UAE Data Office, as applicable.

To exercise any of these rights, email sales@finigenie.com. We may need to verify your identity before acting on a request. We will respond within the timelines required by applicable law.

11. Children

The Services are intended for businesses and individuals aged 18 and above. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected such data, we will delete it. If you believe we may have collected data from a minor, please contact us at sales@finigenie.com.

12. Third-party websites and services

Our Services may link to or integrate with third-party websites and services (for example, partner banks, processors, ERPs, accounting software, and analytics tools). This Policy does not apply to those third parties, and we are not responsible for their privacy practices. Please review their policies before using them.

13. Changes to this Policy

We may update this Policy from time to time. The updated version will be indicated by a revised “Last updated” date and will be effective when posted on our websites. For material changes, we will provide more prominent notice (for example, via email or an in-product notification). Please review this Policy periodically.